8392496

Cluster Architecture for Network Security Processing

Published: March 5, 2013
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
43 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A non-transitory computer-readable storage medium comprising instructions to cause a computing device to perform a method, the method comprising: maintaining a flow assignment data structure comprising mappings between network flows and cluster computing devices assigned thereto by a cluster master, wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master; identifying a network flow for processing by the cluster; assigning the network flow to a selected one of the cluster computing devices; aggregating, at the cluster master, flow session data received from two or more of the cluster computing devices, wherein the flow session data comprises session keys of network flows assigned to the two or more cluster computing devices, each network flow being established between a respective one of the two or more cluster computing devices and an external client; and configuring the assigned cluster computing device to process network traffic associated with the network flow.

2. The computer-readable storage medium of claim 1, wherein processing network traffic comprises subjecting network traffic associated with the flow to a security policy.

3. The computer-readable storage medium of claim 1, further comprising configuring an inbound network interface communicatively coupling the cluster computing devices to a network to forward network traffic associated with the network flow to the assigned cluster computing device.

4. The computer-readable storage medium of claim 1, wherein the network flow is assigned to a cluster computing device according to one or more flow assignment rules.

5. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that related network flows are to be assigned to the same cluster computing device.

6. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that related forward and reverse network flows are to be assigned to the same cluster computing device.

7. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that flows relating to the same protocol connection are to be assigned to the same cluster computing device.

8. The computer-readable storage medium of claim 7, wherein one of the one or more flow assignment rules specifies that file transfer protocol (FTP) control network flows are to be assigned to the same cluster computing device that is handling related FTP data network flows and vice versa.

9. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that flows associated with the same tunnel are to be assigned to the same cluster computing device.

10. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that flows associated with the same tunnel switch are to be assigned to the same cluster computing device.

11. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security information are to be assigned to the same cluster computing device.

12. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security association are to be assigned to the same cluster computing device.

13. The computer-readable storage medium of claim 12, wherein the flow assignment rule specifies that network flows sharing the same inbound security association are to be assigned to the same cluster computing device, and that network flows sharing the same outbound security association are to be assigned to the same cluster computing device.

14. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that all Internet Protocol Security (IPSec) flows associated with a particular peer are to be assigned to the same cluster computing device.

15. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that flows associated with the same secure tunnel are to be assigned to the same cluster computing device.

16. A system comprising: a cluster comprising a plurality of communicatively coupled computing devices, wherein one of the cluster computing devices is configured to operate as a cluster master, and wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master; and a network interface communicatively coupling the cluster to an external network; a flow assignment module implemented on the cluster master computing device and configured to assign network flows to the cluster computing devices according to one or more flow assignment rules, wherein the cluster computing devices are configured to receive inbound network traffic via the network interface, and wherein each of the cluster computing devices comprises a traffic processing module configured to ignore inbound network traffic that is not associated with a network flow assigned thereto, and to process inbound network traffic related to network flows that are assigned to the cluster computing device according to a security policy, wherein the cluster master is configured to aggregate flow session data received from two or more of the cluster computing devices, and wherein the flow session data comprises cache data of network flows with respective clients in an external network assigned to the two or more cluster computing devices, and wherein assigning the network flow to a selected cluster computing device comprises configuring a flow processing module of the selected cluster computing device to identify and process network traffic associated with the assigned network flow.

17. The system of claim 16, wherein responsive to receiving inbound network traffic from the external network, the flow assignment module is configured to determine whether a cluster computing device has been assigned to a network flow corresponding to the inbound network traffic, wherein if no cluster computing device is assigned to the corresponding network flow, the flow assignment module is configured to assign the flow to one of the cluster computing devices according to the one or more flow assignment rules, and wherein if a cluster computing device has been assigned to the corresponding network flow, the flow assignment module ignores the inbound network traffic.

18. The system of claim 17, wherein assigning the network flow to a cluster computing device comprises updating a flow assignment data structure to associate the network flow with one of the cluster computing devices.

19. The system of claim 16, wherein assigning the network flow to a selected cluster computing device comprises transmitting the inbound network traffic to the selected cluster computing device.

20. The system of claim 17, wherein assigning the network flow to a selected cluster computing device comprises configuring the network interface to forward network traffic associated with the network flow to the selected cluster computing device.

21. The system of claim 16, wherein the one or more flow assignment rules comprise flow assignment rules specifying that related forward and reverse network flows, flows related to the same tunnel, the same protocol connection, and/or the same tunnel switch are to be assigned to the same cluster computing device.

22. The system of claim 16, wherein the one or more flow assignment rules comprise flow assignment rules specifying that flows sharing the same security information are to be assigned to the same cluster computing device.

23. The system of claim 22, wherein one of the one or more flow assignment rules specifies that network flows associated with the same secure tunnel are to be assigned to the same cluster computing device.

24. The system of claim 22, wherein one of the one or more flow assignment rules specifies that secure network flows to the same external peer are to be assigned to the same cluster computing device.

25. The system of claim 22, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security association are to be assigned to the same cluster computing device.

26. The system of claim 22, wherein one of the one or more flow assignment rules specifies that network flows sharing the same inbound security association are to be assigned to the same cluster computing device, and network flows sharing the same outbound security association are to be assigned to the same cluster computing device.

27. The system of claim 16, further comprising a shared Internet Key Exchange (IKE) module implemented on the cluster master computing device, wherein the cluster computing devices are configured to negotiate security associations using the shared IKE module.

28. A method for assigning network flows within a cluster comprising a plurality of computing devices, the method comprising: maintaining a flow assignment data structure comprising mappings between network flows and computing devices assigned thereto by a cluster master, wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master; receiving network traffic on a network interface, the network traffic corresponding to a network flow; assigning the network flow to a selected one of the plurality of computing devices by: identifying one or more computing devices that are eligible to be assigned the received network flow using the flow assignment data structure and one or more flow assignment rules, selecting one of the one or more eligible computing devices according to a selection criteria, and configuring the selected computing device to process network traffic associated with the received network flow; and aggregating, at the cluster master, flow session data received from two or more of the cluster computing devices, wherein the flow session data comprises security association sequences of network flows between each of the two or more cluster computing devices and respective computing devices in an external network.

29. The method of claim 28, further comprising transmitting the received network traffic to the selected computing device.

30. The method of claim 29, further comprising configuring the network interface to forward network traffic corresponding to the network flow to the selected computing device.

31. The method of claim 29, wherein one of the one or more traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow that is related to the received network flow.

32. The method of claim 29, wherein one of the one or more of the traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow that shares security information with the received network flow.

33. The method of claim 32, wherein one of the one or more traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow sharing a secure tunnel with the received network flow.

34. A method for processing network traffic by a computing device in a cluster comprising a plurality of computing devices, comprising: receiving a network flow assignment to assign one or more network flows to the computing device from a cluster master, wherein the computing device is communicatively coupled to an external network interface and is capable of processing network flows independently of the cluster master; receiving network traffic relating to a plurality of different network flows; processing the received network traffic by: identifying network traffic associated with network flows assigned to the computing device, processing the identified network traffic according to a security policy, and dropping network traffic that is not identified as associated with a network flow assigned to the computing device; and transmitting flow session data to a cluster master via a network interface, the flow session data comprising a session key of a network flow assigned to the computing device and comprising a network connection between the computing device and a client.

35. The method of claim 34, further comprising maintaining a flow assignment data structure identifying the one or more network flows assigned to the computing device.

36. The method of claim 35, wherein the flow assignment data structure identifies network flows using one selected from a source address of the assigned network flow, a destination address of the assigned network flow, a protocol of the assigned network flow, and a port assignment of the assigned network flow.

37. The method of claim 34, further comprising: for each of the assigned network flows: maintaining run-time synchronization data associated therewith, and synchronizing the run-time synchronization data to a cluster master computing device.

38. The method of claim 35, wherein processing the identified network traffic comprises negotiating a security association, the method further comprising accessing a shared Internet Key Exchange (IKE) service provided by one of the cluster computing devices to perform the security association negotiation.

39. A cluster computing device, comprising: a communication interface communicatively coupled to an external network interface and a cluster interface; and a traffic processing module operable on a processor of the cluster computing device and configured to receive a network flow assignment from a cluster master via the cluster interface, the network flow assignment identifying one or more network flows assigned to the cluster computing device, wherein the traffic processing module is configured to receive network traffic associated with a plurality of different network flows on the external network interface independently of the cluster master, and wherein upon receiving the network traffic, the traffic processing module is configured to identify network traffic associated with the one or more network flows assigned to the cluster computing device, to process the identified network traffic according to a security policy, and to drop network traffic that is not identified as assigned to the cluster computing device, and wherein the cluster computing device is configured to transmit flow session data to the cluster master on the cluster interface, the flow session data comprising cache data of a network flow assigned to the cluster computing device and pertaining to a network connection between the cluster computing device and a client computing device.

40. The cluster computing device of claim 39, wherein the cluster computing device is configured to maintain a flow assignment data structure identifying the one or more network flows assigned thereto, and wherein the traffic processing module identifies the network traffic assigned to the cluster computing device using the flow assignment data structure.

41. The cluster computing device of claim 40, wherein the flow assignment data structure identifies network flows assigned to the cluster computing device based upon one selected from a source address of the assigned network flow, a destination address of the assigned network flow, a protocol of the assigned network flow, and a port assignment of the assigned network flow.

42. The cluster computing device of claim 39, wherein the flow processing module is configured to maintain run-time synchronization data associated with each of the network flows assigned to the cluster computing device, and to synchronize the run-time synchronization data to a cluster master computing device via the cluster interface.

43. The cluster computing device of claim 39, wherein processing the identified network traffic comprises negotiating a security association, and wherein the flow processing module is configured to access a shared Internet Key Exchange (IKE) service provided by one of the cluster computing devices to perform the security association negotiation.
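The claims above describe one arrangement from two sides: a cluster master that keeps the flow assignment data structure and applies affinity rules before configuring a member (claims 1 to 33), and a member device that processes only the flows assigned to it, drops the rest, and reports flow session data back for aggregation (claims 34 to 43). The following Python model is an added illustration, not code from the patent or from any assignee's product. It implements three of the claimed rules (forward/reverse flows together, FTP control and data together, all IPsec flows with one peer together) and picks the least-loaded eligible member; the 5-tuple flow key, the device names, the `10.0.0.` local prefix, the port allow-list standing in for the security policy, and the least-loaded selection criterion are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Flow key: (src_ip, dst_ip, protocol, src_port, dst_port); ports are 0 for
# protocols without them (ESP). Constructed convention for this example.
FlowKey = Tuple[str, str, int, int, int]
TCP, UDP, ESP = 6, 17, 50
LOCAL_PREFIX = "10.0.0."   # assumption: addresses behind the cluster


def reverse(flow: FlowKey) -> FlowKey:
    src, dst, proto, sport, dport = flow
    return (dst, src, proto, dport, sport)


def is_ftp(flow: FlowKey) -> bool:
    """FTP control (port 21) or active-mode data (server port 20) flow."""
    return flow[2] == TCP and bool({20, 21} & {flow[3], flow[4]})


def ipsec_peer(flow: FlowKey) -> Optional[str]:
    """External peer of an ESP or IKE (UDP 500/4500) flow, else None."""
    src, dst, proto, sport, dport = flow
    if proto == ESP or (proto == UDP and dport in (500, 4500)):
        return dst if src.startswith(LOCAL_PREFIX) else src
    return None


# Each rule returns the members already handling flows the new flow must join.
def rule_reverse(flow: FlowKey, table: Dict[FlowKey, str]) -> Set[str]:
    """Claim 6: forward and reverse flows stay on one member."""
    dev = table.get(reverse(flow))
    return {dev} if dev else set()


def rule_ftp(flow: FlowKey, table: Dict[FlowKey, str]) -> Set[str]:
    """Claim 8: FTP control and data flows between the same hosts stay together."""
    if not is_ftp(flow):
        return set()
    hosts = {flow[0], flow[1]}
    return {dev for other, dev in table.items()
            if is_ftp(other) and {other[0], other[1]} == hosts}


def rule_ipsec_peer(flow: FlowKey, table: Dict[FlowKey, str]) -> Set[str]:
    """Claim 14: all IPsec flows with one peer stay together."""
    peer = ipsec_peer(flow)
    if peer is None:
        return set()
    return {dev for other, dev in table.items() if ipsec_peer(other) == peer}


@dataclass
class MemberDevice:
    name: str
    assigned: Set[FlowKey] = field(default_factory=set)
    # Stand-in security policy (assumption): destination ports we accept.
    allowed_ports: Set[int] = field(default_factory=lambda: {20, 21, 443, 500, 4500})
    sessions: Dict[FlowKey, dict] = field(default_factory=dict)

    def process(self, flow: FlowKey, nbytes: int) -> str:
        """Traffic processing module (claims 34/39): drop what is not ours,
        apply the policy to what is, and keep per-flow session data."""
        if flow not in self.assigned:
            return "dropped"
        if not (flow[2] == ESP or flow[4] in self.allowed_ports):
            return "rejected"
        rec = self.sessions.setdefault(flow, {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += nbytes
        return "accepted"


class ClusterMaster:
    RULES = [rule_reverse, rule_ftp, rule_ipsec_peer]

    def __init__(self, members: List[MemberDevice]):
        self.members = {m.name: m for m in members}
        self.table: Dict[FlowKey, str] = {}      # flow assignment data structure
        self.sessions: Dict[FlowKey, dict] = {}  # aggregated flow session data

    def assign(self, flow: FlowKey) -> str:
        if flow in self.table:                   # claim 17: already assigned
            return self.table[flow]
        eligible: Set[str] = set()
        for rule in self.RULES:
            eligible |= rule(flow, self.table)
        candidates = eligible or set(self.members)
        # Selection criterion (assumption): least-loaded member, name as tie-break.
        chosen = min(candidates, key=lambda n: (len(self.members[n].assigned), n))
        self.table[flow] = chosen
        self.members[chosen].assigned.add(flow)  # configure the selected member
        return chosen

    def collect(self) -> Dict[FlowKey, dict]:
        """Aggregate session data reported by every member (claims 1/16/28)."""
        for name, m in self.members.items():
            for flow, rec in m.sessions.items():
                self.sessions[flow] = dict(rec, device=name)
        return self.sessions


def run_demo():
    """Constructed traffic: an FTP session, an IPsec peer, HTTPS and telnet."""
    a, b = MemberDevice("node-a"), MemberDevice("node-b")
    master = ClusterMaster([a, b])
    ftp_ctl = ("203.0.113.5", "10.0.0.10", TCP, 40001, 21)
    ftp_data = ("10.0.0.10", "203.0.113.5", TCP, 20, 40002)
    ike = ("198.51.100.7", "10.0.0.10", UDP, 500, 500)
    esp = ("198.51.100.7", "10.0.0.10", ESP, 0, 0)
    https = ("203.0.113.9", "10.0.0.10", TCP, 51000, 443)
    telnet = ("203.0.113.9", "10.0.0.10", TCP, 51001, 23)
    flows = [ftp_ctl, reverse(ftp_ctl), ftp_data, ike, esp, https, telnet]
    placement = {f: master.assign(f) for f in flows}
    verdicts = {
        "ftp_on_owner": a.process(ftp_ctl, 64),
        "ftp_on_other": b.process(ftp_ctl, 64),
        "https_on_owner": b.process(https, 1200),
        "telnet_policy": a.process(telnet, 30),
    }
    return placement, verdicts, master.collect()


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Running it places the FTP control flow, its reverse, and the active-mode data flow on `node-a`, the IKE and ESP flows from the same peer on `node-b`, and shows the member that does not own a flow dropping it while the owner applies the policy; the master's aggregated view then carries one session record per accepted flow with the member that reported it. A real implementation would also have to resolve conflicts when two rules name different members, which this model sidesteps by letting the least-loaded choice among the union decide.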

Patent Metadata

Filing Date

Unknown

Publication Date

March 5, 2013

Inventors

Thomas Linden
James Huang
Jeff Hsu
Ming-Jeng Lee

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “CLUSTER ARCHITECTURE FOR NETWORK SECURITY PROCESSING” (8392496). https://patentable.app/patents/8392496
